fetchmail security announcement fetchmail-SA-2005-01

From: Matthias Andree (ma+nomail_at_dt.e-technik.uni-dortmund.de)
Date: 07/26/05

  • Next message: sylvain.roger_at_solucom.fr: "Vulnerability in IBM access"
    Date: Tue, 26 Jul 2005 17:44:08 +0200
    To: full-disclosure@lists.netsys.com, vulnwatch@vulnwatch.org, bugtraq@securityfocus.com
    
    

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    fetchmail-SA-2005-01: security announcement

    Topic: remote code injection vulnerability in fetchmail

    Author: Matthias Andree
    Version: 1.02
    Announced: 2005-07-21
    Type: buffer overrun/stack corruption/code injection
    Impact: account or system compromise possible through malicious
                    or compromised POP3 servers
    Danger: high: in sensitive configurations, a full system
                    compromise is possible
                    (for 6.2.5.1: denial of service for the whole fetchmail
                    system is possible)
    CVE Name: CAN-2005-2335
    URL: http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt
                    http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212762
                    http://www.vuxml.org/freebsd/3497d7be-2fef-45f4-8162-9063751b573a.html
                    http://www.vuxml.org/freebsd/3f4ac724-fa8b-11d9-afcf-0060084a00e5.html
                    http://www.freebsd.org/cgi/query-pr.cgi?pr=83805
                    http://www.heise.de/security/news/meldung/62070
    Thanks: Edward J. Shornock (located the bug in UIDL code)
                    Miloslav Trmac (pointed out 6.2.5.1 was faulty)
                    Ludwig Nussel (provided minimal correct fix)

    Affects: fetchmail version 6.2.5.1 (denial of service)
                    fetchmail version 6.2.5 (code injection)
                    fetchmail version 6.2.0 (code injection)
                    (other versions have not been checked)

    Not affected: fetchmail 6.2.5.2
                    fetchmail 6.2.6-pre7
                    fetchmail 6.3.0 (not released yet)

                    Older versions may not have THIS bug, but had been found
                    to contain other security-relevant bugs.

    Corrected: 2005-07-22 01:37 UTC (SVN) - committed bugfix (r4157)
                    2005-07-22 fetchmail-patch-6.2.5.2 released
                    2005-07-23 fetchmail-6.2.5.2 tarball released

    0. Release history

    2005-07-20 1.00 - Initial announcement
    2005-07-22 1.01 - Withdrew 6.2.5.1 and 6.2.6-pre5, the fix was buggy
                           and susceptible to denial of service through
                           single-byte read from 0 when either a Message-ID:
                           header was empty (in violation of RFC-822/2822)
                           or the UIDL response did not contain an UID (in
                           violation of RFC-1939).
                         - Add Credits.
                         - Add 6.2.5.1 failure details to sections 2 and 3
                         - Revise section 5 and B.
    2005-07-26 1.02 - Revise section 0.
                         - Add FreeBSD VuXML URL for 6.2.5.1.
                         - Add heise security URL.
                         - Mention release of 6.2.5.2 tarball.

    1. Background

    fetchmail is a software package to retrieve mail from remote POP2, POP3,
    IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
    message delivery agents.

    2. Problem description

    The POP3 code in fetchmail-6.2.5 and older that deals with UIDs (from
    the UIDL) reads the responses returned by the POP3 server into
    fixed-size buffers allocated on the stack, without limiting the input
    length to the buffer size. A compromised or malicious POP3 server can
    thus overrun fetchmail's stack. This affects POP3 and all of its
    variants, for instance but not limited to APOP.

    In fetchmail-6.2.5.1, the attempted fix prevented code injection via
    POP3 UIDL, but introduced two possible NULL dereferences that can be
    exploited to mount a denial of service attack.

    3. Impact

    In fetchmail-6.2.5 and older, very long UIDs can cause fetchmail to
    crash, or potentially make it execute code placed on the stack. In some
    configurations, fetchmail is run by the root user to download mail for
    multiple accounts.

    In fetchmail-6.2.5.1, a server that responds with UID lines containing
    only the article number but no UID (in violation of RFC-1939), or a
    message without Message-ID when no UIDL support is available, can crash
    fetchmail.

    4. Workaround

    No reasonable workaround can be offered at this time.

    5. Solution

    Upgrade your fetchmail package to version 6.2.5.2.

    You can either download a complete tarball of fetchmail-6.2.5.2.tar.gz,
    or you can download a patch against fetchmail-6.2.5 if you already have
    the 6.2.5 tarball. Either is available from:

    <http://developer.berlios.de/project/showfiles.php?group_id=1824>

    To use the patch:

      1. download fetchmail-6.2.5.tar.gz (or retrieve the version you already
         had downloaded) and fetchmail-patch-6.2.5.2.tar.gz
      2. unpack the tarball: gunzip -c fetchmail-6.2.5.tar.gz | tar xf -
      3. unpack the patch: gunzip fetchmail-patch-6.2.5.2.gz
      4. apply the patch: cd fetchmail-6.2.5 ; patch -p1 <../fetchmail-patch-6.2.5.2
      5. now configure and build as usual - detailed instructions in the file
         named "INSTALL".

    A. References

    fetchmail home page: <http://fetchmail.berlios.de/>

    B. Copyright, License and Warranty

    (C) Copyright 2005 by Matthias Andree, <matthias.andree@gmx.de>.
    Some rights reserved.

    This work is licensed under the Creative Commons
    Attribution-NonCommercial-NoDerivs German License. To view a copy of
    this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
    or send a letter to Creative Commons; 559 Nathan Abbott Way;
    Stanford, California 94305; USA.

    THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
    Use the information herein at your own risk.

    END OF fetchmail-SA-2005-01.txt
    -----BEGIN PGP SIGNATURE-----
    Version: GnuPG v1.4.0 (GNU/Linux)

    iD8DBQFC5lpIvmGDOQUufZURAlv1AKCUuwHKgC/lln+fhYgt8Ba6VxI1WQCgpmBj
    SLivUn3+6/zifjC4Hnaw0uc=
    =PebP
    -----END PGP SIGNATURE-----


  • Next message: sylvain.roger_at_solucom.fr: "Vulnerability in IBM access"

    Relevant Pages

    • Re: Fetchmail sanity check
      ... >> server was installed with sendmail. ... >> one instance of fetchmail is still running when cron thinks ... and I also control the pop3 server at the ISP. ... poll mail..net protocol POP3 user bv is bv here fetchall ...
      (comp.unix.sco.misc)
    • pop3 mailfilter & exchange
      ... I get mail via pop3/ssl or imap/ssl from a MS Exchange server. ... I first connect with mailfilter to delete spam; ... then with fetchmail (either imap or pop3) to download the rest. ...
      (uk.comp.os.linux)
    • Re: Debian squeeze (testing) dns problems
      ... Configuring applications with IP rather that URL of server. ... fetchmail to retrieve mail from pop-server.triad.rr.com? ... POP3< +OK POP3 server ready. ...
      (Debian-User)
    • Re: Postfix delay?
      ... sylphedd)client that saids 'conecting to the smtp server at IP' ... fetchmail: starting fetchmail 6.3.6 daemon ... fetchmail: POP3< +OK dovecot ready. ... fetchmail: Server certificate verification error: self signed certificate ...
      (Debian-User)
    • Re: How many CALs do I need?
      ... >> that can be accessed by the external user. ... >> access to the server running Exchange Server by an unlimited number ... > some provision if such an EC type license were needed for SBS2003 ... > simple pop3. ...
      (microsoft.public.windows.server.sbs)